CISA has added five actively exploited vulnerabilities to its KEV catalog, including critical flaws in Apple's WebKit and kernel, Craft CMS, and Laravel Livewire, with federal agencies required to patch by April 3, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them by April 3, 2026. The vulnerabilities span Apple's ecosystem, Craft CMS, and Laravel Livewire, with exploitation linked to sophisticated threat actors including Iranian state-sponsored groups.
Critical Apple Vulnerabilities Added to KEV
Three memory corruption vulnerabilities in Apple's WebKit and kernel components have been flagged for immediate remediation:
- CVE-2025-31277 (CVSS 8.8): A WebKit flaw in which processing maliciously crafted web content may lead to memory corruption. Patched in July 2025.
- CVE-2025-43510 (CVSS 7.8): A kernel flaw that could allow a malicious application to cause unexpected memory changes across process boundaries. Patched in December 2025.
- CVE-2025-43520 (CVSS 8.8): A kernel flaw that could allow an application to cause unexpected system termination or write to kernel memory. Patched in December 2025.
These Apple vulnerabilities are reportedly part of the DarkSword iOS exploit kit, which leverages multiple bugs to deploy malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft. Security researchers from Google Threat Intelligence Group, iVerify, and Lookout have documented these exploitation patterns.
Content Management and Web Framework Flaws
Two critical vulnerabilities in popular web technologies have also been added to the KEV catalog:
- CVE-2025-32432 (CVSS 10.0): A code injection vulnerability in Craft CMS allowing remote attackers to execute arbitrary code. Patched in April 2025 but exploited as a zero-day since February 2025 by unknown threat actors.
- CVE-2025-54068 (CVSS 9.8): A code injection vulnerability in Laravel Livewire enabling unauthenticated attackers to achieve remote command execution in specific scenarios. Patched in July 2025.
Iranian State-Sponsored Exploitation
CVE-2025-54068 has been specifically linked to MuddyWater (aka Boggy Serpens), an Iranian state-sponsored hacking group. According to Palo Alto Networks Unit 42, the group has been targeting diplomatic entities and critical infrastructure across the Middle East and globally, including the energy, maritime, and financial sectors.
Unit 42 reports that MuddyWater employs AI-enhanced malware implants with anti-analysis techniques for long-term persistence. The group uses a custom-built, web-based orchestration platform to automate mass email delivery while maintaining granular control over sender identities and target lists.
Exploitation Patterns and Malware Deployment
Since February 2025, the intrusion set tracked as Mimo (aka Hezb) has exploited CVE-2025-32432 to deploy cryptocurrency miners and residential proxyware. The vulnerability's exploitation as a zero-day was first assessed by Orange Cyberdefense SensePost.
MuddyWater's tradecraft includes hijacking accounts belonging to official government and corporate entities for spear-phishing attacks, abusing trusted relationships to evade reputation-based blocking systems. Between August 16, 2025, and February 11, 2026, the group conducted four distinct attack waves against an unnamed national marine and energy company in the UAE, deploying malware families including GhostBackDoor and Nuso (aka HTTP_VIP).
Broader Threat Landscape
The group's arsenal includes tools like UDPGangster and LampoRAT (aka CHAR), demonstrating sophisticated capabilities. Unit 42 notes that MuddyWater is maturing its threat profile by integrating established methodologies with refined mechanisms for operational persistence, including diversifying its development pipeline to include modern coding languages like Rust and AI-assisted workflows.
Attributed to the Iranian Ministry of Intelligence and Security (MOIS), MuddyWater primarily focuses on cyber espionage but has also been linked to disruptive operations, including targeting the Technion Israel Institute of Technology under the DarkBit ransomware persona.
Federal Agency Requirements
Federal agencies must patch these vulnerabilities by the April 3, 2026 deadline to comply with CISA's Binding Operational Directive. The KEV catalog serves as a prioritized list of known, actively exploited vulnerabilities that pose significant risk to federal networks.
Organizations outside the federal sector should also prioritize these patches, as the vulnerabilities affect widely used platforms and have demonstrated active exploitation in the wild. The combination of high CVSS scores, zero-day exploitation history, and state-sponsored targeting makes these flaws particularly critical for immediate remediation.